On 2020-07-15 19:55, Gunnar Niels wrote:
Hello, I'm experimenting with VMs and firewalld while trying to get comfortable
with CentOS 8 and am hitting a bit of a wall, hopefully someone here can
point me in the right direction.

[What I'd like to do]

I have a LAN (192.168.2.0/24) with my CentOS 8 VM host (192.168.2.3). I also
have a file server with a samba share at 192.168.2.2. On my VM host, I'm trying
to run a Windows VM so I can use a USB device that has Windows-only drivers, and
then write some files to my samba share. However, I don't trust Windows, so I
want to block all network traffic associated with this VM *except* the samba
connection to my file server. I'm using libvirt to run this VM, and thought I'd
like to have a dedicated libvirt virt network that's "disconnected" in this way;
it has no connection ability apart from that which I whitelist. This network is
called "libvirt_discon", and it uses libvirt NAT forwarding and DHCP. Its subnet
is 192.168.100.0/24.

[What I've done]

I created a new firewalld zone called "libvirt_discon" and assigned the libvirt
network's dev "virbr1" to the zone (this is done via the libvirt network xml).
I added dhcp to the list of the zone's services, and can confirm this allows
the machine to get an IP address. I set the zone's target to "%%REJECT%%" since
I want this to be the default behavior of the zone. Then I tried to whitelist
samba with the following rich rule:

firewall-cmd --zone=libvirt_discon --add-rich-rule='rule family=ipv4
destination address=192.168.2.2 service name=samba accept'

This does not work; I'm testing with a fedora machine on the libvirt_discon
network and trying to list the samba shares, and my connection is immediately
rejected:

$ smbclient --user=samba --list=192.168.2.2
do_connect: Connection to 192.168.2.2 failed (Error NT_STATUS_HOST_UNREACHABLE)

[Questions]

I suspect I'm stumbling because I'm using libvirt NAT instead of a bridged
device (which admittedly I don't fully understand). Dumping the nft ruleset, it
looks like my zone settings strictly affect the zone's input chain. At some
point my packets need to traverse the NAT from virbr1 (zone libvirt_discon) to
my eth NIC (zone public), and back again. I'm not sure how this works, could
someone shed some light on that?

Do I need to enable masquerade on one of the zones here, and if so which one or
both?
When exactly do I need to enable masquerade?

Are these considered FORWARDed packets, and therefore the INPUT chain rules I've
actually written with my rich rule do not apply? (They demonstrably are not
logging.)

Thank you very much for your time, hopefully someone can point me in the right
direction based on what I'm trying to accomplish.
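The zone described above in its persistent form, as an added example and not something posted in this thread: this is what /etc/firewalld/zones/libvirt_discon.xml holds once the same settings (target %%REJECT%%, the dhcp service, the samba rich rule) are applied with --permanent. The file path and the description text are assumptions; the names and addresses are the ones from the question.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: persistent form of the libvirt_discon zone from the question.
     Assumed location: /etc/firewalld/zones/libvirt_discon.xml -->
<zone target="%%REJECT%%">
  <short>libvirt_discon</short>
  <description>Isolated libvirt network: reject everything not listed here.</description>
  <!-- Lets guests on virbr1 obtain an address from libvirt's DHCP -->
  <service name="dhcp"/>
  <!-- XML form of the rich rule:
       rule family=ipv4 destination address=192.168.2.2 service name=samba accept -->
  <rule family="ipv4">
    <destination address="192.168.2.2"/>
    <service name="samba"/>
    <accept/>
  </rule>
</zone>
```

virbr1 is deliberately not listed as an <interface> element, because, as the question says, libvirt places the bridge in the zone from its own network XML. Keep in mind what the question infers from the nft dump: a zone's services and rich rules match traffic addressed to the host through that zone, so a guest connection that the host forwards to 192.168.2.2 is not what this rule is applied to.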

I believe you're having the same types of issues I had earlier in June. You may
want to read through the archive and the thread "How to troubleshoot".

I was unaware that libvirt inserts its own set of FW rules.

Basically, enlightenment came for me when I was directed to

https://wiki.libvirt.org/page/Networking#Forwarding_Incoming_Connections

The passage which addressed the issue was:

"By default, guests that are connected via a virtual network with <forward mode='nat'/> can make any outgoing network connection they like. Incoming connections are allowed from the host, and from other guests connected to the same libvirt network, but all other incoming connections are blocked by iptables rules."

I changed the mode to "route" and I get the behavior I need for all the VMs and
IPv4.
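The change the reply describes, as an added example that is neither from this thread nor from libvirt's documentation: the libvirt network definition for libvirt_discon with <forward mode='route'/> in place of the NAT mode the question started with, using the bridge, zone and subnet named there. The gateway address and the DHCP range are assumptions; the question only gives the /24.

```xml
<!-- Added example: libvirt network definition for libvirt_discon after the
     change described in the reply (forward mode 'nat' -> 'route').
     Names, bridge and subnet are from the question; the DHCP range is assumed. -->
<network>
  <name>libvirt_discon</name>
  <!-- Was: <forward mode='nat'/>  -->
  <forward mode='route'/>
  <!-- The zone attribute is how libvirt puts virbr1 into the firewalld zone -->
  <bridge name='virbr1' stp='on' delay='0' zone='libvirt_discon'/>
  <ip address='192.168.100.1' netmask='255.255.255.0'>
    <dhcp>
      <!-- Assumed range inside 192.168.100.0/24 -->
      <range start='192.168.100.100' end='192.168.100.200'/>
    </dhcp>
  </ip>
</network>
```

Load it with virsh net-define, then virsh net-destroy and virsh net-start so the bridge is recreated with the new mode. In route mode the guest's 192.168.100.x source address is no longer rewritten to 192.168.2.3 on the way out, so the file server (or the LAN's router) needs a route back to 192.168.100.0/24 via 192.168.2.3 for the Samba replies to return.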